In ev_view_get_height_to_page, the "height" or "dual_height"
pointer can be set. If dual_height is set, the dual_height buffer
is used. Using the "normal" height cache in dual view causes
an out of bounds read. So we restrict the cache accesses to their
relevant buffers.
https://bugzilla.gnome.org/show_bug.cgi?id=771612

Bookmarks shouldn't be sorted by their titles but their page
numbers. Often titles don't have any sorting text, causing
strcmp to wrongly sort them alphanumerically, just like in the
bug referenced below.
https://bugzilla.gnome.org/show_bug.cgi?id=772277

Use g_utf8_collate_key_for_filename to convert the page filenames
into collation keys in order to compare using strcmp().
This prevents pages named such as page1, page2, page10, to be
sorted as page1, page10, page2...
https://bugzilla.gnome.org/show_bug.cgi?id=770695

When handling tar files, or using a command with tar-compatible syntax,
to open comic-book archives, both the archive name (the name of the
comics file) and the filename (the name of a page within the archive)
are quoted to not be interpreted by the shell.
But the filename is completely with the attacker's control and can start
with "--" which leads to tar interpreting it as a command line flag.
This can be exploited by creating a CBT file (a tar archive with the
.cbt suffix) with an embedded file named something like this:
"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"
CBT files are infinitely rare (CBZ is usually used for DRM-free
commercial releases, CBR for those from more dubious provenance), so
removing support is the easiest way to avoid the bug triggering. All
this code was rewritten in the development release for GNOME 3.26 to not
shell out to any command, closing off this particular attack vector.
This also removes the ability to use libarchive's bsdtar-compatible
binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two
are already supported by unzip and 7zip respectively. libarchive's RAR
support is limited, so unrar is a requirement anyway.
Discovered by Felix Wilhelm from the Google Security Team.
https://bugzilla.gnome.org/show_bug.cgi?id=784630